Robert Watson wrote:
On Sat, 27 Sep 2008, Robert Watson wrote:
Rather than shadowing global variable 'lookup' in
check_uidgid(), rename
it to ugid_lookupp. This should make debugging issues with ipfw uid
rules easier.
Still panics:
Something seems odd here, we may be looking at an ipfw bug. The goal
of passing down the inpcb is that ipfw doesn't have to look it up
(and hence avoids acquiring locks in ipfw on the outbound path) --
the stack arguments clearly show it held in ipfw, but locks are
acquired anyway. This particular change was purely cosmetic, but
I'll review the ipfw code more closely and see about a fix...
Indeed -- when an inpcb doesn't have a socket, ipfw will go ahead and
do a lookup for an inpcb even though one is passed down. I've
committed a change that short-circuits that and marks the credential
lookup as failed. Give it a try now?
Thanks a lot, Robert, it was indeed simple effective fix. So far no crash :)
With loads like pkg_adding emacs (which adds bunch of other packages) on
plain CURRENT, downloading
FreeBSD ISO with axel (20 simultaneous connection) through http works
fine here.
test# ipfw show
00040 1184006 673239338 allow ip from any to any uid root
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
65000 60 7426 allow ip from any to any
65535 0 0 deny ip from any to any
test#
Ganbold
Robert N M Watson
Computer Laboratory
University of Cambridge
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
--
If it ain't broke, don't fix it.
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
